Low Risk — Risk Score 20/100
Last scan: 1 day ago
epic-ai-swarm-orchestration
Multi-agent AI swarm orchestration system for parallel coding tasks with automatic tmux tracking, endorsement gates, integration merging, and Telegram notifications.
Legitimate multi-agent swarm orchestration system with undocumented but standard shell/filesystem/network operations; bypassPermissions and auto-endorsement in batch mode are concerning but documented behavior.
Skill Name: epic-ai-swarm-orchestration
Duration: 81.7s
Engine: pi
Safe to install
Declare bypassPermissions usage and auto-endorsement in SKILL.md. Consider documenting allowed-tools mapping explicitly. Add version pinning to agent CLIs (claude, codex, gemini) referenced in scripts.

Findings (6 items)

Severity Finding Location
Medium · bypassPermissions not declared in SKILL.md · Doc Mismatch
spawn-agent.sh spawns Claude agents with --permission-mode bypassPermissions, which is a significant privilege elevation. SKILL.md describes the endorsement system but never mentions that spawned agents run with permission bypass. While this is necessary for automated agent operation, the lack of declaration is a doc-to-code mismatch.
Evidence: claude --model "$model" --permission-mode bypassPermissions --print "$PROMPT"
→ Add a 'Security Notes' or 'Permissions' section to SKILL.md explicitly stating that spawned Claude agents run with bypassPermissions, and that this is required for automated non-interactive operation.
Location: scripts/spawn-agent.sh:178
Medium · Auto-endorsement bypasses human approval gate · Priv Escalation
spawn-batch.sh uses 'endorse-task.sh --batch', which auto-endorses all tasks in a batch without requiring the 30-second cooldown or explicit per-task endorsement. The script comments explain this is for verbal batch approval, but the SKILL.md hard rules only mention 'endorse-task.sh', not the --batch shortcut. A malicious orchestrator could exploit this to auto-spawn without presenting the plan.
Evidence: "$ENDORSE_SCRIPT" --batch "$TASK_ID" >/dev/null
→ Document the --batch endorsement mechanism in the SKILL.md hard rules section, and add a confirmation step or audit trail for batch auto-endorsement.
Location: scripts/spawn-batch.sh:89
Low · Dynamic script generation not documented · Doc Mismatch
spawn-agent.sh dynamically generates runner scripts (spawn-agent.sh:170-224) with heredoc syntax, substitutes variables via sed, and executes them. SKILL.md describes 'spawn-agent.sh <args>' as a simple invocation without mentioning the internal script generation. This is a non-security issue but contributes to the doc-code mismatch.
Evidence: cat > "$RUNNER_SCRIPT" << 'RUNNER_HEREDOC_EOF' ... sed -i ... "$RUNNER_SCRIPT"
→ Document the internal script generation in SKILL.md or add a 'How it works' section explaining the runner script mechanism.
Location: scripts/spawn-agent.sh:170
Low · Agent CLIs not pinned to versions · Supply Chain
Scripts reference 'claude', 'codex', and 'gemini' without version constraints. model-fallback.sh and assess-models.sh test availability at runtime, and assess-models.sh can update duty-table.json with different model names. An attacker with control over model names in the duty table could redirect execution to a different model or, if model names are not validated before being interpolated into commands, achieve command injection.
Evidence: FALLBACK_CHAINS[architect]="claude:claude-opus-4-6 ..."
→ Validate agent/model names against an allowlist before using them in commands. Pin CLI versions where possible.
Location: scripts/model-fallback.sh:30
Low · Spawned agent prompts include untrusted work log content · Prompt Injection
Reviewer and integrator prompts inject the content of /tmp/worklog-{session}.md files directly into the LLM prompt via heredoc. If an attacker-controlled task could write malicious content to a work log, it could influence the reviewer's behavior. The same applies to task descriptions loaded from external files.
Evidence: WORKLOG_CONTENT=$(cat "$WORKLOG") ... $WORKLOG_CONTENT
→ Treat work log content as untrusted input; consider sanitization or using a separate context channel rather than direct injection into the prompt.
Location: scripts/notify-on-complete.sh:187
Low · Sources user bashrc at startup · Sensitive Access
spawn-agent.sh and assess-models.sh source $HOME/.bashrc, which may contain user-specific environment variables, aliases, or PATH modifications. While this is common for shell tools, it could introduce unexpected behavior or conflict with sandboxing.
Evidence: [ -f "$HOME/.bashrc" ] && source "$HOME/.bashrc" 2>/dev/null || true
→ Document that sourcing .bashrc is expected behavior, ideally in the SKILL.md setup section.
Location: scripts/spawn-agent.sh:18
Resource | Declared | Inferred | Status | Evidence
Shell | NONE | WRITE | ✓ Aligned | spawn-agent.sh:178-224 dynamically generates runner scripts executed via bash
Filesystem | NONE | WRITE | ✓ Aligned | spawn-agent.sh writes to SWARM_DIR, PROJECT_DIR, duty-table.json
Network | NONE | READ | ✓ Aligned | deploy-notify.sh polls GitHub Actions API via gh CLI
Environment | NONE | READ | ✓ Aligned | spawn-agent.sh sources $HOME/.bashrc and reads SWARM_NOTIFY_TARGET, SWARM_MAX_CO…
Skill Invoke | NONE | WRITE | ✓ Aligned | notify-on-complete.sh spawns reviewer agents; integration-watcher.sh spawns inte…

File Tree

44 files · 208.4 KB · 5203 lines
Shell: 22 files · 3341 lines | Markdown: 21 files · 1669 lines | JSON: 1 file · 193 lines
├─ 📁 docs
│ ├─ 📁 decisions
│ │ └─ 📝 2026-03-28.md Markdown 11L · 505 B
│ ├─ 📁 history
│ │ ├─ 📝 2026-03-28-claude-swarm-cleanup.md Markdown 28L · 1.9 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-decisions.md Markdown 28L · 1.6 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-e2e-test.md Markdown 29L · 1.5 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-e2e-v301.md Markdown 29L · 1.5 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-escalation.md Markdown 30L · 2.0 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-handoff.md Markdown 42L · 2.9 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-inbox.md Markdown 49L · 2.6 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-maxconcurrent.md Markdown 68L · 5.2 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-planformat.md Markdown 30L · 1.9 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-standup.md Markdown 29L · 1.9 KB
│ │ ├─ 📝 2026-03-28-claude-swarm-statemachine.md Markdown 63L · 4.2 KB
│ │ └─ 📝 2026-03-28-integration.md Markdown 463L · 29.0 KB
│ └─ 📝 ESR.md Markdown 79L · 3.7 KB
├─ 📁 references
│ ├─ 📝 duty-table.md Markdown 117L · 3.6 KB
│ ├─ 📝 eor-template.md Markdown 28L · 420 B
│ ├─ 📝 tools.md Markdown 111L · 3.4 KB
│ └─ 📝 workflow.md Markdown 113L · 3.8 KB
├─ 📁 roles
│ └─ 📁 swarm-lead
│   ├─ 📝 ROLE.md Markdown 125L · 6.5 KB
│   └─ 📝 TOOLS.md Markdown 61L · 2.5 KB
├─ 📁 scripts
│ ├─ 🔧 assess-models.sh Shell 279L · 10.9 KB
│ ├─ 🔧 check-agents.sh Shell 94L · 3.2 KB
│ ├─ 🔧 cleanup.sh Shell 220L · 6.3 KB
│ ├─ 🔧 daily-standup.sh Shell 182L · 5.5 KB
│ ├─ 🔧 deploy-notify.sh Shell 58L · 1.9 KB
│ ├─ 📋 duty-table.template.json JSON 193L · 10.3 KB
│ ├─ 🔧 endorse-task.sh Shell 40L · 1.2 KB
│ ├─ 🔧 esr-log.sh Shell 100L · 2.9 KB
│ ├─ 🔧 fallback-swap.sh Shell 132L · 4.5 KB
│ ├─ 🔧 inbox-add.sh Shell 63L · 1.9 KB
│ ├─ 🔧 inbox-clear.sh Shell 74L · 1.7 KB
│ ├─ 🔧 inbox-list.sh Shell 52L · 1.0 KB
│ ├─ 🔧 integration-watcher.sh Shell 366L · 13.0 KB
│ ├─ 🔧 migrate-orphaned-tasks.sh Shell 67L · 1.9 KB
│ ├─ 🔧 model-fallback.sh Shell 66L · 2.6 KB
│ ├─ 🔧 notify-on-complete.sh Shell 418L · 16.7 KB
│ ├─ 🔧 pulse-check.sh Shell 167L · 5.6 KB
│ ├─ 🔧 queue-watcher.sh Shell 122L · 4.2 KB
│ ├─ 🔧 spawn-agent.sh Shell 392L · 12.6 KB
│ ├─ 🔧 spawn-batch.sh Shell 248L · 8.7 KB
│ ├─ 🔧 start-integration.sh Shell 61L · 2.0 KB
│ ├─ 🔧 try-model.sh Shell 33L · 1023 B
│ └─ 🔧 update-task-status.sh Shell 107L · 3.1 KB
└─ 📝 SKILL.md Markdown 136L · 5.1 KB

Dependencies (8 items)

Package | Version | Source | Known Vulns | Notes
bash | 4+ | system | No | Required shell; macOS ships bash 3.x, upgrade recommended
tmux | any | system | No | Terminal multiplexing for agent isolation
git + gh | any | system | No | Version control and PR creation
jq | any | system | No | JSON processing
claude CLI | unpinned | external | No | Claude Code CLI; version not pinned in scripts
codex CLI | unpinned | external | No | OpenAI Codex CLI; version not pinned in scripts
gemini CLI | unpinned | external | No | Google Gemini CLI; version not pinned in scripts
openclaw | any | optional | No | Optional notification tool (Telegram/Discord)

Security Positives

✓ No credential harvesting or exfiltration — network calls limited to GitHub Actions API and Telegram notifications
✓ No obfuscation, base64-encoded payloads, or hidden instructions found
✓ No reverse shell, C2 infrastructure, or direct IP network connections
✓ Endorsement system provides a human-in-the-loop approval gate before spawning
✓ Git operations scoped to project directory; no access to ~/.ssh, ~/.aws, or .env files
✓ Cleanup script removes stale temp files and endorsement files
✓ No cron/scheduled task persistence mechanisms
✓ Dependencies are standard tools (bash, tmux, git, gh, jq, python3) — no external pip/npm packages
✓ No typosquatting or malicious supply chain indicators